chore: Manually forbidden after Authorize

Emyrk · Emyrk · commit 6ef164758574 · 2022-06-10T09:44:14.000-05:00
diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -7,7 +7,6 @@ import (
 
 	"cdr.dev/slog"
 
-	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
 )
@@ -17,12 +16,17 @@ func AuthorizeFilter[O rbac.Objecter](api *API, r *http.Request, action rbac.Act
 	return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)
 }
 
-func (api *API) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.Objecter) bool {
+// Authorize will return false if the user is not authorized to do the action.
+// This function will log appropriately, but the caller must return an
+// error to the api client.
+// Eg:
+//	if !api.Authorize(...) {
+//		httpapi.Forbidden(rw)
+//	}
+func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
 	roles := httpmw.AuthorizationUserRoles(r)
 	err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
 	if err != nil {
-		httpapi.Forbidden(rw)
-
 		// Log the errors for debugging
 		internalError := new(rbac.UnauthorizedError)
 		logger := api.Logger
diff --git a/coderd/files.go b/coderd/files.go
@@ -22,7 +22,8 @@ func (api *API) postFile(rw http.ResponseWriter, r *http.Request) {
 	apiKey := httpmw.APIKey(r)
 	// This requires the site wide action to create files.
 	// Once created, a user can read their own files uploaded
-	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceFile) {
+	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceFile) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -86,9 +87,7 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
 	}
 	file, err := api.Database.GetFileByHash(r.Context(), hash)
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-			Message: fmt.Sprintf("File %q not found.", hash),
-		})
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("File %s", hash))
 		return
 	}
 	if err != nil {
@@ -99,8 +98,10 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !api.Authorize(rw, r, rbac.ActionRead,
+	if !api.Authorize(r, rbac.ActionRead,
 		rbac.ResourceFile.WithOwner(file.CreatedBy.String()).WithID(file.Hash)) {
+		// Return 404 to not leak the file exists
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("File %s", hash))
 		return
 	}
 
diff --git a/coderd/gitsshkey.go b/coderd/gitsshkey.go
@@ -14,7 +14,8 @@ import (
 func (api *API) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
-	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -62,7 +63,8 @@ func (api *API) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 func (api *API) gitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
-	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -76,6 +76,12 @@ type Error struct {
 	Detail string `json:"detail" validate:"required"`
 }
 
+func ResourceNotFound(rw http.ResponseWriter, resource string) {
+	Write(rw, http.StatusNotFound, Response{
+		Message: fmt.Sprintf("%s does not exist.", resource),
+	})
+}
+
 func Forbidden(rw http.ResponseWriter) {
 	Write(rw, http.StatusForbidden, Response{
 		Message: "Forbidden.",
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -45,9 +45,7 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 
 			organization, err := db.GetOrganizationByID(r.Context(), orgID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-					Message: fmt.Sprintf("Organization %q does not exist.", orgID),
-				})
+				httpapi.ResourceNotFound(rw, fmt.Sprintf("Organization %q", orgID))
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/templateparam.go b/coderd/httpmw/templateparam.go
@@ -47,9 +47,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {
 			}
 
 			if template.Deleted {
-				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-					Message: fmt.Sprintf("Template %q does not exist.", templateID),
-				})
+				httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s", templateID))
 				return
 			}
 
diff --git a/coderd/httpmw/templateversionparam.go b/coderd/httpmw/templateversionparam.go
@@ -34,9 +34,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand
 			}
 			templateVersion, err := db.GetTemplateVersionByID(r.Context(), templateVersionID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-					Message: fmt.Sprintf("Template version %q does not exist.", templateVersionID),
-				})
+				httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %s", templateVersionID))
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/workspacebuildparam.go b/coderd/httpmw/workspacebuildparam.go
@@ -34,9 +34,7 @@ func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handl
 			}
 			workspaceBuild, err := db.GetWorkspaceBuildByID(r.Context(), workspaceBuildID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-					Message: fmt.Sprintf("Workspace build %q does not exist.", workspaceBuildID),
-				})
+				httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace build %q", workspaceBuildID))
 				return
 			}
 			if err != nil {
diff --git a/coderd/httpmw/workspaceparam.go b/coderd/httpmw/workspaceparam.go
@@ -32,9 +32,7 @@ func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler {
 			}
 			workspace, err := db.GetWorkspaceByID(r.Context(), workspaceID)
 			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-					Message: fmt.Sprintf("Workspace %q does not exist.", workspaceID),
-				})
+				httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace %s", workspaceID))
 				return
 			}
 			if err != nil {
diff --git a/coderd/members.go b/coderd/members.go
@@ -39,13 +39,15 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)
 	for _, roleName := range added {
 		// Assigning a role requires the create permission.
-		if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {
+		if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {
+			httpapi.Forbidden(rw)
 			return
 		}
 	}
 	for _, roleName := range removed {
 		// Removing a role requires the delete permission.
-		if !api.Authorize(rw, r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {
+		if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {
+			httpapi.Forbidden(rw)
 			return
 		}
 	}
diff --git a/coderd/organizations.go b/coderd/organizations.go
@@ -19,9 +19,10 @@ import (
 func (api *API) organization(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
 
-	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceOrganization.
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceOrganization.
 		InOrg(organization.ID).
 		WithID(organization.ID.String())) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Organization %q", organization.ID))
 		return
 	}
 
@@ -32,8 +33,9 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 	apiKey := httpmw.APIKey(r)
 	// Create organization uses the organization resource without an OrgID.
 	// This means you need the site wide permission to make a new organization.
-	if !api.Authorize(rw, r, rbac.ActionCreate,
+	if !api.Authorize(r, rbac.ActionCreate,
 		rbac.ResourceOrganization) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
diff --git a/coderd/parameters.go b/coderd/parameters.go
@@ -26,7 +26,8 @@ func (api *API) postParameter(rw http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
-	if !api.Authorize(rw, r, rbac.ActionUpdate, obj) {
+	if !api.Authorize(r, rbac.ActionUpdate, obj) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -85,7 +86,8 @@ func (api *API) parameters(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !api.Authorize(rw, r, rbac.ActionRead, obj) {
+	if !api.Authorize(r, rbac.ActionRead, obj) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -120,8 +122,9 @@ func (api *API) deleteParameter(rw http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
-	// A delete param is still updating the underlying resource for the scope.
-	if !api.Authorize(rw, r, rbac.ActionUpdate, obj) {
+	// A deleted param is still updating the underlying resource for the scope.
+	if !api.Authorize(r, rbac.ActionUpdate, obj) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Parameter %s with scope %s", scopeID, scope))
 		return
 	}
 
@@ -132,10 +135,7 @@ func (api *API) deleteParameter(rw http.ResponseWriter, r *http.Request) {
 		Name:    name,
 	})
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-			Message: fmt.Sprintf("No parameter found at the provided scope with name %q.", name),
-			Detail:  err.Error(),
-		})
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Parameter %s with scope %s", scopeID, scope))
 		return
 	}
 	if err != nil {
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -16,7 +16,8 @@ func (api *API) assignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 	// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the
 	// 	role of the user.
 
-	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceRoleAssignment) {
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceRoleAssignment) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -30,7 +31,8 @@ func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	// 	role of the user.
 	organization := httpmw.OrganizationParam(r)
 
-	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -41,7 +43,8 @@ func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
-	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUser.WithID(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUser.WithID(user.ID.String())) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -28,6 +28,11 @@ var (
 func (api *API) template(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
 
+	if !api.Authorize(r, rbac.ActionRead, template) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s", template.ID))
+		return
+	}
+
 	workspaceCounts, err := api.Database.GetWorkspaceOwnerCountsByTemplateIDs(r.Context(), []uuid.UUID{template.ID})
 	if errors.Is(err, sql.ErrNoRows) {
 		err = nil
@@ -40,10 +45,6 @@ func (api *API) template(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !api.Authorize(rw, r, rbac.ActionRead, template) {
-		return
-	}
-
 	count := uint32(0)
 	if len(workspaceCounts) > 0 {
 		count = uint32(workspaceCounts[0].Count)
@@ -54,7 +55,8 @@ func (api *API) template(rw http.ResponseWriter, r *http.Request) {
 
 func (api *API) deleteTemplate(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
-	if !api.Authorize(rw, r, rbac.ActionDelete, template) {
+	if !api.Authorize(r, rbac.ActionDelete, template) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s", template.ID))
 		return
 	}
 
@@ -97,7 +99,8 @@ func (api *API) deleteTemplate(rw http.ResponseWriter, r *http.Request) {
 func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Request) {
 	var createTemplate codersdk.CreateTemplateRequest
 	organization := httpmw.OrganizationParam(r)
-	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
+	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
+		httpapi.Forbidden(rw)
 		return
 	}
 
@@ -270,9 +273,7 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 	})
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
-			httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-				Message: fmt.Sprintf("No template found by name %q in the %q organization.", templateName, organization.Name),
-			})
+			httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s in organization %s", templateName, organization.Name))
 			return
 		}
 
@@ -283,7 +284,8 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 		return
 	}
 
-	if !api.Authorize(rw, r, rbac.ActionRead, template) {
+	if !api.Authorize(r, rbac.ActionRead, template) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s in organization %s", templateName, organization.Name))
 		return
 	}
 
@@ -309,7 +311,8 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 
 func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 	template := httpmw.TemplateParam(r)
-	if !api.Authorize(rw, r, rbac.ActionUpdate, template) {
+	if !api.Authorize(r, rbac.ActionUpdate, template) {
+		httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s", template.ID))
 		return
 	}
 
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
diff --git a/coderd/users.go b/coderd/users.go
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
diff --git a/coderd/workspaceresources.go b/coderd/workspaceresources.go
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
diff --git a/scripts/rules.go b/scripts/rules.go

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ func (api API) postFile(rw http.ResponseWriter, r http.Request) {`
`22`	`22`	`apiKey := httpmw.APIKey(r)`
`23`	`23`	`// This requires the site wide action to create files.`
`24`	`24`	`// Once created, a user can read their own files uploaded`
`25`		`- if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceFile) {`
	`25`	`+ if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceFile) {`
	`26`	`+ httpapi.Forbidden(rw)`
`26`	`27`	`return`
`27`	`28`	`}`
`28`	`29`
`@@ -86,9 +87,7 @@ func (api API) fileByHash(rw http.ResponseWriter, r http.Request) {`
`86`	`87`	`}`
`87`	`88`	`file, err := api.Database.GetFileByHash(r.Context(), hash)`
`88`	`89`	`if errors.Is(err, sql.ErrNoRows) {`
`89`		`- httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
`90`		`- Message: fmt.Sprintf("File %q not found.", hash),`
`91`		`- })`
	`90`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("File %s", hash))`
`92`	`91`	`return`
`93`	`92`	`}`
`94`	`93`	`if err != nil {`
`@@ -99,8 +98,10 @@ func (api API) fileByHash(rw http.ResponseWriter, r http.Request) {`
`99`	`98`	`return`
`100`	`99`	`}`
`101`	`100`
`102`		`- if !api.Authorize(rw, r, rbac.ActionRead,`
	`101`	`+ if !api.Authorize(r, rbac.ActionRead,`
`103`	`102`	`rbac.ResourceFile.WithOwner(file.CreatedBy.String()).WithID(file.Hash)) {`
	`103`	`+ // Return 404 to not leak the file exists`
	`104`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("File %s", hash))`
`104`	`105`	`return`
`105`	`106`	`}`
`106`	`107`
Original file line number	Diff line number	Diff line change
`@@ -47,9 +47,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`if template.Deleted {`
`50`		`- httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
`51`		`- Message: fmt.Sprintf("Template %q does not exist.", templateID),`
`52`		`- })`
	`50`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("Template %s", templateID))`
`53`	`51`	`return`
`54`	`52`	`}`
`55`	`53`
Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand`
`34`	`34`	`}`
`35`	`35`	`templateVersion, err := db.GetTemplateVersionByID(r.Context(), templateVersionID)`
`36`	`36`	`if errors.Is(err, sql.ErrNoRows) {`
`37`		`- httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
`38`		`- Message: fmt.Sprintf("Template version %q does not exist.", templateVersionID),`
`39`		`- })`
	`37`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("Template version %s", templateVersionID))`
`40`	`38`	`return`
`41`	`39`	`}`
`42`	`40`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,7 @@ func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handl`
`34`	`34`	`}`
`35`	`35`	`workspaceBuild, err := db.GetWorkspaceBuildByID(r.Context(), workspaceBuildID)`
`36`	`36`	`if errors.Is(err, sql.ErrNoRows) {`
`37`		`- httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
`38`		`- Message: fmt.Sprintf("Workspace build %q does not exist.", workspaceBuildID),`
`39`		`- })`
	`37`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace build %q", workspaceBuildID))`
`40`	`38`	`return`
`41`	`39`	`}`
`42`	`40`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -32,9 +32,7 @@ func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler {`
`32`	`32`	`}`
`33`	`33`	`workspace, err := db.GetWorkspaceByID(r.Context(), workspaceID)`
`34`	`34`	`if errors.Is(err, sql.ErrNoRows) {`
`35`		`- httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
`36`		`- Message: fmt.Sprintf("Workspace %q does not exist.", workspaceID),`
`37`		`- })`
	`35`	`+ httpapi.ResourceNotFound(rw, fmt.Sprintf("Workspace %s", workspaceID))`
`38`	`36`	`return`
`39`	`37`	`}`
`40`	`38`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -39,13 +39,15 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`39`	`39`	`added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)`
`40`	`40`	`for _, roleName := range added {`
`41`	`41`	`// Assigning a role requires the create permission.`
`42`		`- if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {`
	`42`	`+ if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {`
	`43`	`+ httpapi.Forbidden(rw)`
`43`	`44`	`return`
`44`	`45`	`}`
`45`	`46`	`}`
`46`	`47`	`for _, roleName := range removed {`
`47`	`48`	`// Removing a role requires the delete permission.`
`48`		`- if !api.Authorize(rw, r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {`
	`49`	`+ if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {`
	`50`	`+ httpapi.Forbidden(rw)`
`49`	`51`	`return`
`50`	`52`	`}`
`51`	`53`	`}`